-rw-r--r--doc/src/sgml/client-auth.sgml10
-rw-r--r--src/backend/libpq/pg_hba.conf.sample46
2 files changed, 30 insertions, 26 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 7ba2a36e2c1..9067f532397 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.11 2001/05/12 22:51:34 petere Exp $ -->
+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.12 2001/07/11 20:32:10 momjian Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@@ -242,7 +242,10 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
of the connecting user. <productname>Postgres</productname>
then verifies whether the so identified operating system user
is allowed to connect as the database user that is requested.
- This is only available for TCP/IP connections.
+ This is only available for TCP/IP connections. It can be used
+ on the local machine by specifying the localhost address 127.0.0.1.
+ </para>
+ <para>
The <replaceable>authentication option</replaceable> following
the <literal>ident</> keyword specifies the name of an
<firstterm>ident map</firstterm> that specifies which operating
@@ -553,7 +556,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
<attribution>RFC 1413</attribution>
<para>
The Identification Protocol is not intended as an authorization
- or access control protocol.
+ or access control protocol. You must trust the machine running the
+ ident server.
</para>
</blockquote>
</para>
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index c6711fc08e0..d9c05feb129 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -1,5 +1,5 @@
#
-# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
+# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
#
#
# This file controls:
@@ -101,9 +101,9 @@
# be use only for machines where all users are truested.
#
# password: Authentication is done by matching a password supplied
-# in clear by the host. If no AUTH_ARGUMENT is used, the
-# password is compared with the user's entry in the
-# pg_shadow table.
+# in clear by the host. If no AUTH_ARGUMENT is used, the
+# password is compared with the user's entry in the
+# pg_shadow table.
#
# If AUTH_ARGUMENT is specified, the username is looked up
# in that file in the $PGDATA directory. If the username
@@ -118,30 +118,30 @@
# passwords.
#
# crypt: Same as "password", but authentication is done by
-# encrypting the password sent over the network. This is
-# always preferable to "password" except for old clients
-# that don't support "crypt". Also, crypt can use
-# usernames stored in secondary password files but not
-# secondary passwords.
-#
-# ident: Authentication is done by the ident server on the local
-# or remote host. AUTH_ARGUMENT is required and maps names
-# found in the $PGDATA/pg_ident.conf file. The connection
-# is accepted if the file contains an entry for this map
-# name with the ident-supplied username and the requested
-# PostgreSQL username. The special map name "sameuser"
-# indicates an implied map (not in pg_ident.conf) that
-# maps each ident username to the identical PostgreSQL
+# encrypting the password sent over the network. This is
+# always preferable to "password" except for old clients
+# that don't support "crypt". Also, crypt can use
+# usernames stored in secondary password files but not
+# secondary passwords.
+#
+# ident: Authentication is done by the ident server on the local
+# (127.0.0.1) or remote host. AUTH_ARGUMENT is required and
+# maps names found in the $PGDATA/pg_ident.conf file. The
+# connection is accepted if the file contains an entry for
+# this map name with the ident-supplied username and the
+# requested PostgreSQL username. The special map name
+# "sameuser" indicates an implied map (not in pg_ident.conf)
+# that maps each ident username to the identical PostgreSQL
# username.
#
-# krb4: Kerberos V4 authentication is used.
+# krb4: Kerberos V4 authentication is used.
#
-# krb5: Kerberos V5 authentication is used.
+# krb5: Kerberos V5 authentication is used.
#
# reject: Reject the connection. This is used to reject certain hosts
-# that are part of a network specified later in the file.
-# To be effective, "reject" must appear before the later
-# entries.
+# that are part of a network specified later in the file.
+# To be effective, "reject" must appear before the later
+# entries.
#
# Local UNIX-domain socket connections support only the AUTH_TYPEs of
# "trust", "password", "crypt", and "reject".
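Review bot: The rewritten `ident:` comment in this hunk says the ident server may be on the local (127.0.0.1) or a remote host, but it omits the caveat this same commit adds to client-auth.sgml: that the machine running the ident server must be trusted. pg_hba.conf.sample is the file an administrator has open when choosing an AUTH_TYPE, so the warning is most useful here. After the `username.` line I would add a comment such as `# The ident-supplied username is only as reliable as the machine running the ident server; use ident only for hosts you trust.`, wrapped to match the surrounding comment column. This matters most for the "remote host" case, where the answer comes from a machine the server does not control.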